Chewing_Bever
/
otter
1
0
Fork 0
Code Issues 9 Packages Activity

refactor: moved auth business logic outside of db using store abstraction

Jef Roosens 2025-03-15 18:28:40 +01:00
parent 78a274e01f
commit 54a723f803
No known key found for this signature in database
GPG Key ID: 21FD3D77D56BAF49
8 changed files with 179 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/cli/serve.rs
View File

@ -6,9 +6,11 @@ pub fn serve(config: &crate::config::Config) -> u8 {
tracing::info!("Initializing database and running migrations"); tracing::info!("Initializing database and running migrations");
let pool = db::initialize_db(config.data_dir.join(crate::DB_FILENAME), true).unwrap(); let pool = db::initialize_db(config.data_dir.join(crate::DB_FILENAME), true).unwrap();
let repo = db::SqliteRepository::from(pool);
let ctx = server::Context { let ctx = server::Context {
repo: db::SqliteRepository::from(pool), repo: repo.clone(),
store: crate::gpodder::GpodderRepository::new(Box::new(repo)),
}; };
let app = server::app(ctx); let app = server::app(ctx);

60
src/db/repository/auth.rs
View File

@ -1,3 +1,4 @@
use chrono::DateTime;
use diesel::prelude::*; use diesel::prelude::*;
use rand::Rng; use rand::Rng;
@ -19,6 +20,16 @@ impl From<diesel::result::Error> for gpodder::AuthErr {
} }
} }
impl From<db::User> for gpodder::User {
fn from(value: db::User) -> Self {
Self {
id: value.id,
username: value.username,
password_hash: value.password_hash,
}
}
}
impl gpodder::AuthRepository for SqliteRepository { impl gpodder::AuthRepository for SqliteRepository {
fn validate_credentials( fn validate_credentials(
&self, &self,
@ -35,6 +46,7 @@ impl gpodder::AuthRepository for SqliteRepository {
Ok(gpodder::User { Ok(gpodder::User {
id: user.id, id: user.id,
username: user.username, username: user.username,
password_hash: user.password_hash,
}) })
} else { } else {
Err(gpodder::AuthErr::InvalidPassword) Err(gpodder::AuthErr::InvalidPassword)
@ -54,6 +66,7 @@ impl gpodder::AuthRepository for SqliteRepository {
Ok(user) => Ok(gpodder::User { Ok(user) => Ok(gpodder::User {
id: user.id, id: user.id,
username: user.username, username: user.username,
password_hash: user.password_hash,
}), }),
Err(diesel::result::Error::NotFound) => Err(gpodder::AuthErr::UnknownSession), Err(diesel::result::Error::NotFound) => Err(gpodder::AuthErr::UnknownSession),
Err(err) => Err(gpodder::AuthErr::Other(Box::new(err))), Err(err) => Err(gpodder::AuthErr::Other(Box::new(err))),
@ -88,6 +101,7 @@ impl gpodder::AuthRepository for SqliteRepository {
gpodder::User { gpodder::User {
id: user.id, id: user.id,
username: user.username, username: user.username,
password_hash: user.password_hash,
}, },
)) ))
} else { } else {
@ -122,3 +136,49 @@ impl gpodder::AuthRepository for SqliteRepository {
} }
} }
} }
impl gpodder::AuthStore for SqliteRepository {
fn get_user(&self, username: &str) -> Result<Option<gpodder::models::User>, AuthErr> {
Ok(users::table
.select(db::User::as_select())
.filter(users::username.eq(username))
.first(&mut self.pool.get()?)
.optional()?
.map(gpodder::User::from))
}
fn get_session(&self, session_id: i64) -> Result<Option<gpodder::models::Session>, AuthErr> {
match sessions::table
.inner_join(users::table)
.filter(sessions::id.eq(session_id))
.select((db::Session::as_select(), db::User::as_select()))
.get_result(&mut self.pool.get()?)
{
Ok((session, user)) => Ok(Some(gpodder::Session {
id: session.id,
last_seen: DateTime::from_timestamp(session.last_seen, 0).unwrap(),
user: user.into(),
})),
Err(err) => Err(AuthErr::from(err)),
}
}
fn remove_session(&self, session_id: i64) -> Result<(), AuthErr> {
Ok(
diesel::delete(sessions::table.filter(sessions::id.eq(session_id)))
.execute(&mut self.pool.get()?)
.map(|_| ())?,
)
}
fn insert_session(&self, session: &gpodder::Session) -> Result<(), AuthErr> {
Ok(db::Session {
id: session.id,
user_id: session.user.id,
last_seen: session.last_seen.timestamp(),
}
.insert_into(sessions::table)
.execute(&mut self.pool.get()?)
.map(|_| ())?)
}
}

16
src/gpodder/mod.rs
View File

@ -1,6 +1,8 @@
pub mod models; pub mod models;
mod repository;
pub use models::*; pub use models::*;
pub use repository::GpodderRepository;
pub enum AuthErr { pub enum AuthErr {
UnknownSession, UnknownSession,
@ -27,6 +29,20 @@ pub trait AuthRepository {
fn remove_session(&self, username: &str, session_id: i64) -> Result<(), AuthErr>; fn remove_session(&self, username: &str, session_id: i64) -> Result<(), AuthErr>;
} }
pub trait AuthStore {
/// Retrieve the session with the given session ID
fn get_session(&self, session_id: i64) -> Result<Option<models::Session>, AuthErr>;
/// Retrieve the user with the given username
fn get_user(&self, username: &str) -> Result<Option<models::User>, AuthErr>;
/// Create a new session for a user with the given session ID
fn insert_session(&self, session: &Session) -> Result<(), AuthErr>;
/// Remove the session with the given session ID
fn remove_session(&self, session_id: i64) -> Result<(), AuthErr>;
}
pub trait DeviceRepository { pub trait DeviceRepository {
/// Return all devices associated with the user /// Return all devices associated with the user
fn devices_for_user(&self, user: &User) -> Result<Vec<Device>, AuthErr>; fn devices_for_user(&self, user: &User) -> Result<Vec<Device>, AuthErr>;

9
src/gpodder/models.rs
View File

@ -1,10 +1,11 @@
use chrono::NaiveDateTime; use chrono::{DateTime, NaiveDateTime, Utc};
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
#[derive(Clone)] #[derive(Clone)]
pub struct User { pub struct User {
pub id: i64, pub id: i64,
pub username: String, pub username: String,
pub password_hash: String,
} }
#[derive(Serialize, Deserialize)] #[derive(Serialize, Deserialize)]
@ -57,3 +58,9 @@ pub struct EpisodeAction {
#[serde(flatten)] #[serde(flatten)]
pub action: EpisodeActionType, pub action: EpisodeActionType,
} }
pub struct Session {
pub id: i64,
pub last_seen: DateTime<Utc>,
pub user: User,
}

74
src/gpodder/repository.rs 100644
View File

@ -0,0 +1,74 @@
use std::sync::Arc;
use argon2::{Argon2, PasswordHash, PasswordVerifier};
use rand::Rng;
use super::{models, AuthErr, AuthStore};
const MAX_SESSION_AGE: i64 = 60 * 60 * 24 * 7;
type Store = dyn AuthStore + Send + Sync;
#[derive(Clone)]
pub struct GpodderRepository {
store: Arc<Store>,
}
impl GpodderRepository {
pub fn new(store: Box<Store>) -> Self {
Self {
store: Arc::from(store),
}
}
pub fn validate_session(&self, session_id: i64) -> Result<models::Session, AuthErr> {
let session = self
.store
.get_session(session_id)?
.ok_or(AuthErr::UnknownSession)?;
// Expired sessions still in the database are considered removed
if chrono::Utc::now() - session.last_seen
> chrono::TimeDelta::new(MAX_SESSION_AGE, 0).unwrap()
{
Err(AuthErr::UnknownSession)
} else {
Ok(session)
}
}
pub fn validate_credentials(
&self,
username: &str,
password: &str,
) -> Result<models::User, AuthErr> {
let user = self.store.get_user(username)?.ok_or(AuthErr::UnknownUser)?;
let password_hash = PasswordHash::new(&user.password_hash).unwrap();
if Argon2::default()
.verify_password(password.as_bytes(), &password_hash)
.is_ok()
{
Ok(user)
} else {
Err(AuthErr::InvalidPassword)
}
}
pub fn create_session(&self, user: &models::User) -> Result<models::Session, AuthErr> {
let session = models::Session {
id: rand::thread_rng().gen(),
last_seen: chrono::Utc::now(),
user: user.clone(),
};
self.store.insert_session(&session)?;
Ok(session)
}
pub fn remove_session(&self, session_id: i64) -> Result<(), AuthErr> {
self.store.remove_session(session_id)
}
}

23
src/server/gpodder/advanced/auth.rs
View File

@ -12,13 +12,10 @@ use axum_extra::{
TypedHeader, TypedHeader,
}; };
use crate::{ use crate::server::{
gpodder::AuthRepository, error::{AppError, AppResult},
server::{ gpodder::SESSION_ID_COOKIE,
error::{AppError, AppResult}, Context,
gpodder::SESSION_ID_COOKIE,
Context,
},
}; };
pub fn router() -> Router<Context> { pub fn router() -> Router<Context> {
@ -38,14 +35,17 @@ async fn post_login(
return Err(AppError::BadRequest); return Err(AppError::BadRequest);
} }
let (session_id, _) = tokio::task::spawn_blocking(move || { let session = tokio::task::spawn_blocking(move || {
ctx.repo.create_session(auth.username(), auth.password()) let user = ctx
.store
.validate_credentials(auth.username(), auth.password())?;
ctx.store.create_session(&user)
}) })
.await .await
.unwrap()?; .unwrap()?;
Ok(jar.add( Ok(jar.add(
Cookie::build((SESSION_ID_COOKIE, session_id.to_string())).expires(Expiration::Session), Cookie::build((SESSION_ID_COOKIE, session.id.to_string())).expires(Expiration::Session),
)) ))
} }
@ -60,7 +60,8 @@ async fn post_logout(
.parse() .parse()
.map_err(|_| AppError::BadRequest)?; .map_err(|_| AppError::BadRequest)?;
tokio::task::spawn_blocking(move || ctx.repo.remove_session(&username, session_id)) // TODO reintroduce username check
tokio::task::spawn_blocking(move || ctx.store.remove_session(session_id))
.await .await
.unwrap()?; .unwrap()?;

13
src/server/gpodder/mod.rs
View File

@ -17,10 +17,7 @@ use axum_extra::{
}; };
use tower_http::set_header::SetResponseHeaderLayer; use tower_http::set_header::SetResponseHeaderLayer;
use crate::{ use crate::{gpodder, server::error::AppError};
gpodder::{self, AuthRepository},
server::error::AppError,
};
use super::Context; use super::Context;
@ -51,12 +48,12 @@ pub async fn auth_middleware(State(ctx): State<Context>, mut req: Request, next:
.and_then(|c| c.value().parse::<i64>().ok()) .and_then(|c| c.value().parse::<i64>().ok())
{ {
let ctx_clone = ctx.clone(); let ctx_clone = ctx.clone();
match tokio::task::spawn_blocking(move || ctx_clone.repo.validate_session(session_id)) match tokio::task::spawn_blocking(move || ctx_clone.store.validate_session(session_id))
.await .await
.unwrap() .unwrap()
{ {
Ok(user) => { Ok(session) => {
auth_user = Some(user); auth_user = Some(session.user);
} }
Err(gpodder::AuthErr::UnknownSession) => { Err(gpodder::AuthErr::UnknownSession) => {
jar = jar.add( jar = jar.add(
@ -77,7 +74,7 @@ pub async fn auth_middleware(State(ctx): State<Context>, mut req: Request, next:
.await .await
{ {
match tokio::task::spawn_blocking(move || { match tokio::task::spawn_blocking(move || {
ctx.repo ctx.store
.validate_credentials(auth.username(), auth.password()) .validate_credentials(auth.username(), auth.password())
}) })
.await .await

1
src/server/mod.rs
View File

@ -7,6 +7,7 @@ use tower_http::trace::TraceLayer;
#[derive(Clone)] #[derive(Clone)]
pub struct Context { pub struct Context {
pub repo: crate::db::SqliteRepository, pub repo: crate::db::SqliteRepository,
pub store: crate::gpodder::GpodderRepository,
} }
pub fn app(ctx: Context) -> Router { pub fn app(ctx: Context) -> Router {